QwikSec

Security Database

CVE

CWE

Training

CVE-2021-43803

Published: Dec 9, 2021

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.

Vendor	Product	Versions
vercel	next.js	affected `>= 11.1.0, < 11.1.3` affected `>= 12.0.0, < 12.0.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx

x_refsource_CONFIRM

https://github.com/vercel/next.js/pull/32080

x_refsource_MISC

https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264

x_refsource_MISC

https://github.com/vercel/next.js/releases/tag/v11.1.3

x_refsource_MISC

https://github.com/vercel/next.js/releases/v12.0.5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.